Menu
▾
▴
[Fetchmail-announce] ANNOUNCE: The 6.4.22 release of fetchmail is available (security fixes for CVE-2021-39272, crash fixes, other changes)
|
From: Matthias A. <mat...@gm...> - 2021-09-13 21:06:19
|
Greetings, The 6.4.22 release of fetchmail is now available at <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>. It contains the security fix for CVE-2021-39272 of 6.4.21 and earlier, fixes some crashes that can be triggered by local configurations, and makes some fixes to authentication and other changes, details below. DISTRIBUTORS please note OpenSSL's licensing change for OpenSSL 3, and you may want to review COPYING. The source archive is available at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.tar.xz/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.tar.lz/download> Detached GnuPG signatures for the respective tarballs are at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.tar.xz.asc/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.tar.lz.asc/download> SHA256 hash values for the tarballs: SHA256(fetchmail-6.4.22.tar.lz)= 5e596136660cca9b71f73c0f6fe79cc76db7db2b2dc33c08ad25241ed0cba368 SHA256(fetchmail-6.4.22.tar.xz)= 104379499a1346330a6799f1e20c790211dd07835cb1af5668dfd25de71357f4 Here are the release notes: --------------------------------------------------------------------------------- fetchmail-6.4.22 (released 2021-09-13, 30201 LoC): # OPENSSL AND LICENSING NOTE: * fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0. OpenSSL's licensing changed between these releases from dual OpenSSL/SSLeay license to Apache License v2.0, which is considered incompatible with GPL v2 by the FSF. For implications and details, see the file COPYING. # SECURITY FIXES: * CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections, without --ssl and with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when the server or an attacker sends a PREAUTH greeting, fetchmail used to continue an unencrypted connection. Now, log the error and abort the connection. --Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile. --Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel. The paper did not mention fetchmail. * On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS negotiation. * On IMAP connections, fetchmail does not permit overriding a server-side LOGINDISABLED with --auth password any more. * On POP3 connections, the possibility for RPA authentication (by probing with an AUTH command without arguments) no longer prevents STARTTLS negotiation. * For POP3 connections, only attempt RPA if the authentication type is "any". # BUG FIXES: * On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the tagged (= final) response, do not send "*". * On IMAP connections, AUTHENTICATE EXTERNAL without username will properly send a "=" for protocol compliance. * On IMAP connections, AUTHENTICATE EXTERNAL will now check if the server advertised SASL-IR (RFC-4959) support and otherwise refuse (fetchmail <= 6.4 has not supported and does not support the separate challenge/response with command continuation) * On IMAP connections, when --auth external is requested but not advertised by the server, log a proper error message. * Fetchmail no longer crashes when attempting a connection with --plugin "" or --plugout "". * Fetchmail no longer leaks memory when processing the arguments of --plugin or --plugout on connections. * On POP3 connections, the CAPAbilities parser is now caseblind. * Fix segfault on configurations with "defaults ... no envelope". Reported by Bjørn Mork. Fixes Debian Bug#992400. This is a regression in fetchmail 6.4.3 and happened when plugging memory leaks, which did not account for that the envelope parameter is special when set as "no envelope". The segfault happens in a constant strlen(-1), triggered by trusted local input => no vulnerability. * Fix program abort (SIGABRT) with "internal error" when invalid sslproto is given with OpenSSL 1.1.0 API compatible SSL implementations. # CHANGES: * IMAP: When fetchmail is in not-authenticated state and the server volunteers CAPABILITY information, use it and do not re-probe. (After STARTTLS, fetchmail must and will re-probe explicitly.) * For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option do not match, emit a warning and continue. Closes Gitlab #31. (cherry-picked from 6.5 beta branch "legacy_6x") * fetchmail.man and README.SSL were updated in line with RFC-8314/8996/8997 recommendations to prefer Implicit TLS (--ssl/ssl) and TLS v1.2 or newer, placing --sslproto tls1.2+ more prominently. The defaults shall not change between 6.4.X releases for compatibility. # TRANSLATIONS: language translations were updated by these fine people: * sq: Besnik Bleta [Albanian] * cs: Petr Pisar [Czech] * eo: Keith Bowes [Esperanto] * fr: Frédéric Marchal [French] * pl: Jakub Bogusz [Polish] * sv: Göran Uddeborg [Swedish] # CREDITS: * Thanks for testing the release candidates and bug reports to: Corey Halpin, Stefan Eßer. -------------------------------------------------------------------------------- Happy fetches, Matthias |
